
Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo protected services. When a user authenticates via the Duo Prompt, we'll check for the presence of a Duo device certificate on that endpoint. You can monitor access to your applications from devices with and without the Duo certificate, and optionally block access from devices without the Duo certificate.

Before enabling the Trusted Endpoints policy on your applications, you'll need to deploy the Duo device certificate to your managed devices. We've documented this process for some popular endpoint management systems. If you're using a different tool to manage your endpoints, use our generic Windows and Mac management integrations to deploy the Duo device certificate package.

Once a client authenticates to Duo with this certificate, it becomes associated with that particular endpoint. Therefore, you'll need to repeat the process of downloading and installing a unique Duo certificate from the Duo Admin Panel for each individual system.

Log in to the Duo Admin Panel and navigate to Trusted Endpoints Configuration.

If this is your first management integration, click the Configure Management Tools Integration button at the bottom of the page. If you're adding another management integration, click the Add Integration button you see instead.

1 year certificates

These certificates expire one year from issuance. This is the best option for most Duo deployments.

7 days certificates

These certificates expire one week (seven days) from issuance. Select this option when you have users who need certificates reissued more frequently than the one year default. For example, you have virtual desktop users whose VDI endpoints are redeployed periodically, or a group of contractors who aren't expected to use the same workstations for a year.

Click Download Script. The actual name of the downloaded Python script will be similar to duo_cert_enrollment-2.0.py.

Copy the downloaded script to your Mac endpoint management system.

Create a software package for your macOS endpoints to run the Duo certificate enrollment Python script with sudo privileges.

Create a deployment job to run the Duo Python package on your macOS endpoints. It should run on the endpoint in the context of the logged-in user, not the workstation, so that the certificate gets added to the user's keychain.

This script enrolls the macOS client as a Duo trusted endpoint by obtaining a device certificate from Duo, and also configures Safari and Chrome (if present) to automatically select the Duo certificate during authentication.

We recommend running the script on your managed workstations at each user's logon, and also on a regular daily or weekly schedule to ensure timely renewal of the client's Duo certificate.

IMPORTANT! Make sure that your distribution job or scheduled task doesn't leave the Duo script behind on the macOS client in an easily-found location when done. If your end user has access to the script, they could run it on other devices to obtain Duo certificates for those endpoints without your knowledge.

Windows Enterprise Asset Management Tool

In the Duo Admin Panel browser window, view the "Windows Enterprise Asset Management Tool" management tools integration. In the "Download the Deployment Files" section of the page (step 1.1), choose one of the certificate lifetime options:

1 year certificates

These certificates expire one year from issuance. This is the best option for most Duo deployments.

7 days certificates

These certificates expire one week (seven days) from issuance. Select this option when you have users who need certificates reissued more frequently than the one year default. For example, you have virtual desktop users whose VDI endpoints are redeployed periodically, or a group of contractors who aren't expected to use the same workstations for a year.

Click Download Batch File. The downloaded script name will be similar to duo_cert_enrollment.bat. Then, click the link in step 2.2 to download the enrollment executable file, whose name will be like duo_cert_enrollment-cmsv3-5.0.exe.

Create a software package for your Windows endpoints to run the Duo certificate enrollment batch script (which calls the Duo certificate enrollment executable). Your package should include both files.

Create a deployment job to run the Duo certificate software package on your Windows endpoints. It should run on the endpoint in the context of the logged-in user, not the workstation, so that the certificate gets added to the user's Personal certificate store.

This script enrolls the Windows client as a Duo trusted endpoint by obtaining a device certificate from Duo, and also configures Internet Explorer to automatically select the Duo certificate during authentication.

We recommend running the script on your managed workstations at each user's logon, and also on a regular daily or weekly schedule to ensure timely renewal of the client's Duo certificate.

IMPORTANT! Make sure that your distribution job or scheduled task doesn't leave the Duo script and executable behind on the Windows client in an easily-found location when done. If your end user has access to the script and executable, they could run them on other devices to obtain Duo certificates for those endpoints without your knowledge.
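The macOS and Windows procedures above share two pieces of launcher logic that the page states in prose: renewing on a schedule that cannot lapse (the 1 year versus 7 days lifetime against a daily or weekly job), and not leaving the enrollment script on the endpoint. The following is an added example, not Duo's enrollment script, batch file or executable. It assumes the current certificate's expiry is read from the output of `openssl x509 -noout -enddate` (format `notAfter=Mon DD HH:MM:SS YYYY GMT`), that the management job can invoke Python on the endpoint, and it uses a constructed stand-in script (SAMPLE_SCRIPT) in place of duo_cert_enrollment-2.0.py.

```python
"""
Launcher logic for the Duo certificate enrollment job on macOS or Windows.
Added example; this is not Duo's enrollment script or batch file. It shows:
  1. whether the current Duo certificate will lapse before the next scheduled
     run (the 1-year vs 7-day lifetime choice against a daily/weekly schedule);
  2. running the enrollment script from a private staging directory that is
     deleted afterwards, so the script is not left behind on the endpoint.
Assumptions: expiry comes from `openssl x509 -noout -enddate`
(format 'notAfter=Mon DD HH:MM:SS YYYY GMT'); SAMPLE_SCRIPT is a constructed
stand-in for duo_cert_enrollment-2.0.py.
"""
import os
import shutil
import stat
import subprocess
import sys
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the real enrollment script: exits 0 and does nothing.
SAMPLE_SCRIPT = b"import sys\nsys.exit(0)\n"


def parse_openssl_enddate(line: str) -> datetime:
    """Parse 'notAfter=Jan  8 00:00:00 2024 GMT' into an aware UTC datetime."""
    value = line.strip().split("=", 1)[1]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def renewal_due(not_after: datetime, now: datetime,
                run_interval_days: float, margin_days: float = 1.0) -> bool:
    """True when the certificate expires before the run after this one, plus a
    safety margin. A 7-day certificate on a weekly schedule is therefore renewed
    on every run; on a daily schedule only once fewer than two days remain."""
    next_run = now + timedelta(days=run_interval_days)
    return not_after <= next_run + timedelta(days=margin_days)


def run_staged(script_source: bytes, args=(), timeout_s: int = 300) -> dict:
    """Write the script into a fresh owner-only directory, run it with the
    current interpreter, and remove the directory whether or not the run
    succeeds. Returns the exit code and whether anything was left behind."""
    staging = tempfile.mkdtemp(prefix="duo-enroll-")
    script_path = os.path.join(staging, "enroll.py")
    try:
        os.chmod(staging, stat.S_IRWXU)                      # 0700 on POSIX
        with open(script_path, "wb") as fh:
            fh.write(script_source)
        os.chmod(script_path, stat.S_IRUSR | stat.S_IWUSR)   # 0600: only the running user
        proc = subprocess.run([sys.executable, script_path, *args],
                              capture_output=True, timeout=timeout_s, check=False)
        returncode = proc.returncode
    finally:
        shutil.rmtree(staging, ignore_errors=True)           # always clean up, even on error
    return {"returncode": returncode, "left_behind": os.path.exists(staging)}


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    not_after = parse_openssl_enddate("notAfter=Jan  8 00:00:00 2024 GMT")  # constructed value
    print("renew now?", renewal_due(not_after, now, run_interval_days=7))
    print(run_staged(SAMPLE_SCRIPT))
```

Two caveats. First, the page recommends running the enrollment at every logon plus on a daily or weekly schedule; the renewal check above only makes the arithmetic explicit: with 7 days certificates, a weekly job with no logon in between would leave no slack, so either run daily or accept that the job renews on every run. Second, staging narrows the exposure window but does not close it: because the job runs in the logged-in user's context, the script is readable by that user while it executes, so the cleanup in the finally block is a complement to, not a substitute for, keeping the package out of shared locations and out of base images.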

Chrome Browser Configuration

Duo's certificate package for Windows configures Internet Explorer to automatically select the Duo device certificate when requested by the Duo authentication prompt. Google Chrome requires additional steps to make the same change. Without this, users are prompted to select the Duo device certificate each time they authenticate. You can distribute the Chrome browser configuration via AD Group Policy to PC clients joined to a domain. Standalone (non-domain-joined) clients must be configured locally with Microsoft's LGPO utility.

Configure Chrome with EAM and LGPO

Click the two download links in the "Download Files to Configure Google Chrome" section of the Windows Enterprise Asset Management Tool page (step 1). The downloaded file names will be similar to chrome_cert_lgpo_policy-1.0.pol and duo_chrome_configuration.bat.

Extract the LGPO.exe executable from the zip file downloaded in step 1 and copy it and the .pol and .bat files downloaded from Duo in step 2 to your Windows endpoint management system.

Create a software package for your Windows endpoints to run the Chrome configuration batch script (which calls LGPO.exe and the Chrome policy .pol file). Your package should include all three files.

Create a deployment job to run the Chrome configuration software package on your Windows endpoints. Unlike the Duo certificate scheduled task, the Chrome configuration only needs to run once on a computer.

Configure Chrome with GPO

Expand your forest and navigate down the tree to Group Policy Objects. Right-click the Group Policy Objects folder and click New. Enter a name for the new GPO (such as "Duo Chrome Certificate Policy") and click OK.

Right-click the new GPO created in step 2 and click Edit.

Navigate to User Configuration\Preferences\Windows Settings\Registry.

Download the Chrome Configuration.xml file, which contains the GPO registry settings necessary to configure Chrome to select the Duo certificate automatically. Save this file in a location accessible from the GPMC console. The downloaded file name will be similar to chrome_cert_gpo_config-1.xml.

Return to the Group Policy editor window and copy/paste the downloaded Chrome XML file (from an Explorer window — not the file contents) into the "Registry" pane on the right of the GPO editor window. Confirm import of the pasted document by clicking Yes.

This adds registry settings under the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls key to the GPO.

This registry value lets Chrome automatically select the Duo device certificate when requested by the Duo browser prompt without prompting the user interactively to select the certificate.

When you've finished configuring all settings, close the Group Policy editor window.

Apply the newly created Duo Chrome certificate GPO by linking it to OUs containing the domain client computers used to access Duo resources.
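Both Chrome procedures above (LGPO for standalone clients, GPO for domain members) end up writing the same Chrome policy, AutoSelectCertificateForUrls, and the macOS script configures Chrome's equivalent managed preference. The block below is an added example, not Duo's .pol or .xml files, that renders that policy for both platforms and checks an entry read back from an endpoint. It assumes the Duo Prompt is served from hosts under duosecurity.com (DUO_URL_PATTERN) and uses "Example Duo CA" as a placeholder issuer CN; take the real issuer CN from an enrolled certificate (for example `openssl x509 -noout -issuer`) rather than from this example. The macOS managed-preferences path named in the comment is likewise an assumption.

```python
"""
Render Chrome's AutoSelectCertificateForUrls policy for the Duo device certificate
on Windows (registry) and macOS (managed preferences). Added example; not Duo's
.pol/.xml files. Assumptions: DUO_URL_PATTERN and the placeholder issuer CN.
"""
import json
import plistlib

# Chrome reads one REG_SZ value per entry, named "1", "2", ... under this key.
CHROME_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls"
# On macOS the same policy is an array of strings in the managed com.google.Chrome
# preferences (assumed location: /Library/Managed Preferences/com.google.Chrome.plist).
MAC_CHROME_DOMAIN = "com.google.Chrome"
# Chrome URL pattern: "[*.]" matches the host and all of its subdomains (assumed Duo host).
DUO_URL_PATTERN = "https://[*.]duosecurity.com"


def auto_select_entry(pattern: str, issuer_cn: str) -> str:
    """One policy entry: JSON with a URL pattern and a filter on the issuer CN.
    Filtering on issuer keeps Chrome from auto-submitting an unrelated client cert."""
    entry = {"pattern": pattern, "filter": {"ISSUER": {"CN": issuer_cn}}}
    return json.dumps(entry, separators=(",", ":"))


def registry_values(entries):
    """Registry value name -> JSON string, numbered from 1 as Chrome expects on Windows."""
    return {str(i): entry for i, entry in enumerate(entries, start=1)}


def reg_file(entries) -> str:
    """Render a .reg file (save as UTF-16 for `reg import`) that can also be diffed
    against what the GPO or LGPO step actually wrote. .reg syntax escapes
    backslashes and double quotes inside REG_SZ data."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{CHROME_POLICY_KEY}]"]
    for name, value in registry_values(entries).items():
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'"{name}"="{escaped}"')
    return "\r\n".join(lines) + "\r\n"


def mac_managed_prefs(entries) -> bytes:
    """Render the macOS managed-preferences plist carrying the array form of the policy."""
    return plistlib.dumps({"AutoSelectCertificateForUrls": list(entries)})


def entries_from_plist(data: bytes) -> list:
    """Read the policy entries back out of a managed-preferences plist."""
    return list(plistlib.loads(data).get("AutoSelectCertificateForUrls", []))


def policy_matches(entry_json: str, pattern: str, issuer_cn: str) -> bool:
    """Check an entry read back from an endpoint parses and targets the expected
    pattern and issuer; malformed JSON is reported as a mismatch, not an exception."""
    try:
        obj = json.loads(entry_json)
    except ValueError:
        return False
    issuer = obj.get("filter", {}).get("ISSUER", {})
    return obj.get("pattern") == pattern and issuer.get("CN") == issuer_cn


if __name__ == "__main__":
    entry = auto_select_entry(DUO_URL_PATTERN, "Example Duo CA")  # placeholder issuer
    print(reg_file([entry]))
    print(mac_managed_prefs([entry]).decode())
    print("matches:", policy_matches(entry, DUO_URL_PATTERN, "Example Duo CA"))
```

The issuer filter is the part worth checking on a sample of endpoints: a pattern with no filter makes Chrome auto-select whatever client certificate matches the server's CA list, which on machines that also hold a smart-card or VPN certificate may not be the Duo one.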

Finish Trusted Endpoints Deployment

Once your managed computers start receiving the Duo certificate you can configure the Trusted Endpoints policy to start checking for the certificate as users authenticate to Duo-protected services and applications.

Once your trusted endpoints policy is applied to your Duo applications, enable the management integration by clicking the Change link at the top of the page next to "Integration is disabled". You can choose to either activate this management integration for just members of a specified test group or groups, or activate it for all users.

The Device Insight and Endpoints pages in the Duo Admin Panel show which access devices have the Duo certificate present.

Next Steps

As more of your devices receive the Duo certificate you can change the integration activation to apply to all users (if you just targeted test groups before), adjust your trusted endpoints policy to expand the target group, apply it to additional protected services, or start blocking access to applications from devices that do not have the Duo certificate. See the Trusted Endpoints documentation for more information.